Splunk Search

How Can I Save Three Count Searches Separated And Then Use Them Together Later?

Contributor

I have some conditions for each search as follows:

Search A

index=users Channel=40 
| eval Token = User."-".Channel
| stats count by Token

Search B

index=mobile (Code=5 OR Code=3) AND (Mobile=1 OR Mobile=2)
| stats count by Connection

Search C

index=mobile (Code=5 OR Code=3) AND (Mobile=5 OR Mobile=3) channel=*
| eval Token = user."-".channel
| stats count by Token

Should I save those counts separately? How can I do that?
My main table should show:

Search A count
Search B count
Search C count
Search A + Search B count
Search A + Search C count
Search B + Search C count
Search A + Search B + Search C count

It's like 3 queries inside one main query, but the counts are different.
Note that in Search A, Channel is upper case and in Search C it's lower case.


Re: How Can I Save Three Count Searches Separated And Then Use Them Together Later?

Contributor

I have three searches and two indexes. Is it possible to make a dashboard that counts grouped stats over them?


Re: How Can I Save Three Count Searches Separated And Then Use Them Together Later?

Have you tried using subsearches and the append or appendcols search command?

Appendcols


Re: How Can I Save Three Count Searches Separated And Then Use Them Together Later?

Ultra Champion

Another approach is to run the 3 searches and save the results with summary indexing or an outputlookup command,
then run a fourth search retrieving the results from each of them (summary search, or inputlookup with appendcols/append).
Do not forget to add an extra column to your results with the value A/B/C to distinguish them.

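Added example (not part of the thread): the summary-indexing variant of the accepted approach, combined with the appendcols suggestion from the earlier reply. It assumes a summary index named summary_counts has already been created in indexes.conf, that the three searches from the question are saved and scheduled once a day over the previous day, and that search_label is the distinguishing column; the AND/OR grouping in the mobile searches is made explicit with parentheses. The first three searches are the scheduled writers, the last one is the reader that builds the requested table.

```spl
index=users Channel=40 earliest=-1d@d latest=@d
| eval Token = User."-".Channel
| stats count by Token
| eval search_label="A"
| collect index=summary_counts

index=mobile (Code=5 OR Code=3) AND (Mobile=1 OR Mobile=2) earliest=-1d@d latest=@d
| stats count by Connection
| eval search_label="B"
| collect index=summary_counts

index=mobile (Code=5 OR Code=3) AND (Mobile=5 OR Mobile=3) channel=* earliest=-1d@d latest=@d
| eval Token = user."-".channel
| stats count by Token
| eval search_label="C"
| collect index=summary_counts

index=summary_counts search_label=A earliest=-1d@d latest=@d
| stats sum(count) as A
| appendcols [search index=summary_counts search_label=B earliest=-1d@d latest=@d | stats sum(count) as B]
| appendcols [search index=summary_counts search_label=C earliest=-1d@d latest=@d | stats sum(count) as C]
| fillnull value=0 A B C
| eval A_B=A+B, A_C=A+C, B_C=B+C, A_B_C=A+B+C
| rename A_B as "A+B", A_C as "A+C", B_C as "B+C", A_B_C as "A+B+C"
| table A B C "A+B" "A+C" "B+C" "A+B+C"
```

Two things to check before trusting the numbers. The stats output has no _time, so collect stamps each written row with the earliest time of the search that produced it; the reader therefore has to use the same earliest/latest window as the writers, otherwise sum(count) adds up every day that was ever collected. And the writers keep the per-Token breakdown, so the reader sums it back to a single number per label; if the table should stay per Token, keep `by Token` in the reader's stats and use append instead of appendcols. For the lookup variant, replace `collect index=summary_counts` with `outputlookup search_a_counts.csv` (one file per search) and read them with `| inputlookup search_a_counts.csv`.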

Re: How Can I Save Three Count Searches Separated And Then Use Them Together Later?

Contributor

Got it, but I still don't know how to do it.
I can't do it via lookup because the amount of data is too high.
How would I create this new index mixing variables?
For example, I have Channel in index=A and ch in index=B; both actually represent the same field with the same values, but in different indexes.
Sorry, I have never used a subquery or saved search; how should I do that? Do I need to upload a new file, or do I use all the searches in the same place?
Thanks in advance @yannK


Re: How Can I Save Three Count Searches Separated And Then Use Them Together Later?

Ultra Champion

Re: How Can I Save Three Count Searches Separated And Then Use Them Together Later?

Contributor

Should I use a kind of JOIN for this operation? Or do you think it's possible to make the whole search for all indexes just using subsearches?
I think a lookup for this search won't be possible because of the amount of data.
But after I create a new index, summarized based on two indexes, how do I fill in the data I want inside this new index, coming from the other two indexes?


Re: How Can I Save Three Count Searches Separated And Then Use Them Together Later?

Contributor

How can I make this subsearch test work?
I want to make these fields the same, or table them together, to start.

index="mobile" channel=* account=* 
[search index="main" Channel=* Account=*]
| table channel account Channel Account

Re: How Can I Save Three Count Searches Separated And Then Use Them Together Later?

Ultra Champion

Not really. To append a subsearch, use

 index="mobile" channel=* account=* 
| append [search index="main" Channel=* Account=*]
| table channel account Channel Account

If you want to group with a join on the channel and account:

 index="mobile" channel=* account=* 
| join Channel Account [search index="main" Channel=* Account=* ]
| table channel account Channel Account

Remember the 10000 limit; a better solution is to do the stats in the subsearch first.

But if all you want is to get all the results in a single search, try

( index="mobile" channel=* account=* ) OR ( index="main" Channel=* Account=* )
| stats count by Token index
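The single-search form above still leaves the case problem open: Channel/User in one index and channel/user in the other never land in the same field, so `by Token` only works if Token is built from a normalized name. Added example, not from yannK's reply: the three searches from the question folded into one search, with the differently cased fields merged by coalesce, a label assigned with eval case, and the pairwise sums built with appendpipe so the result comes out as the seven rows the question asks for. It assumes the A/B/C conditions are disjoint, which they are here (A is a different index, B and C use different Mobile values), and that the field names User, user, Channel, channel exist as shown in the question.

```spl
(index=users Channel=40) OR (index=mobile (Code=5 OR Code=3) AND (Mobile=1 OR Mobile=2 OR Mobile=3 OR Mobile=5))
| eval user_n=coalesce(User, user), channel_n=coalesce(Channel, channel)
| eval Token=user_n."-".channel_n
| eval search_label=case(
    index=="users", "A",
    index=="mobile" AND (Mobile==1 OR Mobile==2), "B",
    index=="mobile" AND (Mobile==3 OR Mobile==5) AND isnotnull(channel_n), "C")
| where isnotnull(search_label)
| stats count by search_label
| appendpipe [search search_label=A OR search_label=B | stats sum(count) as count | eval search_label="A+B"]
| appendpipe [search search_label=A OR search_label=C | stats sum(count) as count | eval search_label="A+C"]
| appendpipe [search search_label=B OR search_label=C | stats sum(count) as count | eval search_label="B+C"]
| appendpipe [search search_label=A OR search_label=B OR search_label=C | stats sum(count) as count | eval search_label="A+B+C"]
```

The `isnotnull(channel_n)` test reproduces the `channel=*` condition of Search C, and the `where` drops mobile events that match neither B nor C (for example Mobile=3 without a channel). Each appendpipe filters on the exact label values, so the rows added by earlier appendpipes ("A+B" and so on) are not counted twice; the last one restricts to A, B and C explicitly for the same reason. This counts events per label; to keep the per-Token rows of the original searches, use `stats count by search_label Token` and sum over Token before building the combinations. Because there is no subsearch, the 10000-result limit mentioned above does not apply.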

Re: How Can I Save Three Count Searches Separated And Then Use Them Together Later?

Contributor

But in this case, will channel and account work as the same fields for both indexes? Considering that one is upper case and the other one is lower case, should I convert them into a new field, for a new index for example?
Thanks for the explanation @yannK
